IFLA Publishes a Statement on Privacy in the Library Environment

At its 14 August 2015 meeting in Cape Town, South Africa, the IFLA Governing Board endorsed an IFLA Statement on Privacy in the Library Environment. The FAIFE Committee oversaw preparation of the Statement and benefitted from consultation with IFLA units and various Internet civil liberties advocacy organisations.

This new Statement on Privacy in the Library Environment is intended to give guidance to libraries and information services in an environment that includes mass surveillance by governments and routine user data collection by commercial interests that provide content or services through the Internet. Risks to library users’ privacy might arise through their use of search or social media applications on the Web or their use of library platforms and content that collect data on end users.

The statement describes current challenges to the protection of user privacy for libraries and information services, outlines relevant international statements of privacy as a right and identifies related IFLA policies. Finally, the Statement on Privacy in the Library Environment offers recommendations to libraries and information services around both advocacy for privacy protection and practical measures to protect user privacy in libraries. It recognises that libraries and information services have little ability to affect some kinds of data collection about their users, and encourages appropriately adjusting local library data collection practices, considering privacy concerns in procuring platforms and services, informing and educating users of risks and best practices, and participating in community efforts to promote the protection of privacy.

Introduction

The rapid advancement of technology has resulted in increasing privacy implications for library and information services, their users, and society. Commercial Internet services, including those used to deliver library and information services, collect extensive data on users and their behaviour. They may also sell data about their users to third parties who then act on the data to deliver, monitor or withhold services. Using identification and location technology, governments and third parties can analyse a library user’s communication and activities for surveillance purposes or to control access to spaces, devices and services. Excessive data collection and use threatens individual users’ privacy and has other social and legal consequences. When Internet users are aware of large-scale data collection and surveillance, they may selfcensor their behavior due to the fear of unexpected consequences. Excessive data collection can then have a chilling effect on society, narrowing an individual’s right to freedom of speech and freedom of expression as a result of this perceived threat. Limiting freedom of speech and expression has the potential to compromise democracy and civil engagement.

Privacy as a right

Freedom of access to information and freedom of expression, as expressed in Article 19 of the Universal Declaration of Human Rights, are essential concepts for the library and information profession. Privacy is integral to ensuring these rights. Privacy is defined as a human right in Article 12 of the Universal Declaration that states “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation.” Privacy is essential to enable access and use of information without fear of consequences. Electronic surveillance, interception of digital communications and mass collection of personal data negatively impact on freedom of expression and freedom of information. In recognition of this, the United Nations General Assembly in 2013 and 2014 adopted resolutions on the “Right to privacy in the digital age,” calling all countries to “respect and protect the right to privacy, including in the context of digital communication.”

Privacy in libraries

Individual library and information service policies traditionally value privacy and confidentiality for users. These principles are reflected in the IFLA Internet Manifesto as a specific statement: “Library and information services …have a responsibility to… strive to ensure the privacy of their users, and that the resources and services that they use remain confidential.” The IFLA Code of Ethics identifies respect for personal privacy, protection of personal data, and confidentiality in the relationship between the user and library or information service as core principles. Users´ privacy in libraries has become widely challenged. Commercial content and service providers used by library and information services may collect data on users´ activities, communications, and transactions or require that libraries collect data as a condition of providing their content or services. Cloud-based library systems may transfer and store users’ data outside of the library or information service. When library and information services offer services on mobile devices, the services may collect identity and location data, track the use of the library or information service, and share the data with third parties. Library and information services have the opportunity to make independent decisions about local system and data management. Library and information services can decide what kind of personal data they will collect on users and consider principles of data security, management, storage, sharing and retention. They can negotiate with commercial service providers to ensure the protection of users’ privacy, refuse to acquire services that collect excessive data, or limit the use of technologies that could compromise users’ privacy. However, library and information services’ opportunities to influence, regulate or gain reliable knowledge of the data collection practices of commercial vendors or government institutions may be limited.

Recommendations

• Library and information services should respect and advance privacy both at the level of practices and as a principle.

• Library and information services should support national, regional and international level advocacy efforts (e.g. by human rights and digital rights organisations) to protect individuals’ privacy and their digital rights and encourage library professionals to reflect on these issues.

• Library and information services should reject electronic surveillance and any type of illegitimate monitoring or collection of users’ personal data or information behaviour that would compromise their privacy and affect their rights to seek, receive and impart information. They should take measures to limit collection of personal information about their users and the services that they use.

• While government access to users´ data and data surveillance cannot be completely avoided, library and information services should ensure that intrusion in users’ information or communications by government is based on legitimate principles for such practices and necessary and proportionate to legitimate aims (e.g. described in “International Principles on the Application of Human Rights to Communications Surveillance”).

• When library and information services provide access to resources, services or technology that may compromise users’ privacy, libraries should encourage users to be aware of the implications and provide guidance in data protection and privacy protection.

• Library and information services should support their users’ ability to make informed choices, take legitimate actions and weigh risks and benefits in their communications and use of services on the Internet.

• Data protection and privacy protection should be included as a part of the media and information literacy training for library and information service users. This should include training on tools to use to protect their privacy.

• The education of library and information professionals should include data and privacy protection principles and practices in a networked environment. Endorsed by the IFLA Governing Board on 14 August 2015.